The following reply was made to PR docs/93130; it has been noted by GNATS.
From: "fbsd_user" <fbsd_user at a1poweruser.com>
To: <bug-followup at FreeBSD.org>,
"Fbsd_User" <fbsd_user at a1poweruser.com>
Cc:
Subject: Re: docs/93130: addition to handbook section 14.11 Open SSH
Date: Sun, 12 Feb 2006 19:34:56 -0500
This is a multi-part message in MIME format.
------=_NextPart_000_003B_01C6300B.67684CE0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
There was a typo in the text I posted in the bug-report.
Use the text in the attached file.
------=_NextPart_000_003B_01C6300B.67684CE0
Content-Type: text/plain;
name="Example of configuring OpenSSH.txt"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="Example of configuring OpenSSH.txt"
Example of configuring OpenSSH
Environment description:=20
In this example we have a FreeBSD system which we will call the host.=20
We have an Remote FreeBSD system which is located some where on the =
public internet,=20
we will call this the FBSD-client.
=20
We also have an Remote MS/windows system which is located some where on =
the public internet,=20
we will call this the Win-client.
OpenSSH has a few different security levels when it comes to how the ssh =
login is handled.=20
This example details the encrypted host/client key with passphrase =
method.=20
This method gives the maximum protection possible utilizing ssh. =20
Host setup steps.
1. Edit /etc/rc.conf and add this statement
sshd_enable=3D"YES"
Make sure your firewall allows port 22 in from the public internet.
Reboot your system to activate sshd and login as root.
If this is your first time booting with sshd you will have to=20
create the host keys.
sshd will show you this on the first sshd boot only.
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D
Type a full screen full of random junk to unblock
it and remember to finish with <enter>. This will
timeout in 300 seconds, but waiting for
the timeout without typing junk may make the
entropy source deliver predictable output.
Just hit <enter> for fast+insecure startup.
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D
kern.random.sys.seeded: 1 -> 0
qkcir83,2jsn40pl722jjbqok ---- this is the example junk entered
Generating public/private rsa1 key pair.
Your identification has been saved in /etc/ssh/ssh_host_key.
Your public key has been saved in /etc/ssh/ssh_host_key.pub.
The key fingerprint is:
ed:5d:97:dc:49:98:36:66:fc root at domainname
Generating public/private dsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_dsa_key.
Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub.
The key fingerprint is:
67:e7:90:04:0e:27:2e:d2:97:6a root at a1poweruser.com
Generating public/private rsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
96:db:50:5c:9e:69:88:26:28:54 root@ domainname
2. If you do a "ps ax" command you will see sshd as one of the running =
tasks.
3. Using adduser or pw command create a normal user account.
For this example we will use bob as the host user account name.
4. Hit alt/f2 at same time to open second session and login using bob.
5. Run this command ssh-keygen -t rsa
Just hit enter to take default location and file name
No need to enter a pass phrase for the host user here, just hit enter =
2 times
This is what you will see
=20
Generating public/private rsa key pair.
Enter file in which to save the key (/bob/.ssh/id_rsa):
Created directory '/bob/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /bob/.ssh/id_rsa.
Your public key has been saved in /bob/.ssh/id_rsa.pub.
The key fingerprint is:
e7:e6:8f:d3:b1:b4:08:27:09:d2 bob at domainname
6. If you want to ssh login as Host 'root', you have to run step 5=20
above while logged in as root on the host.=20
Also edit /etc/ssh/sshd_config and change this statement
#PermitRootLogin no to PermitRootLogin yes
Then killall -HUP sshd to make sshd task reread it's sshd_config =
file. =20
=20
FBSD-client setup steps.
1. Using adduser or pw command create a normal user account.=20
For this example we will use remotetom as the user account name.
2. Login using remotetom.
3. Run this command ssh-keygen -t rsa
Just hit enter to take default location and file name
At the "Enter a passphrase prompt" [enter one and write it down, =
because it will be needed for ssh login to the host].=20
This is what you will see
=20
Generating public/private rsa key pair.
Enter file in which to save the key (/remotetom/.ssh/id_rsa):
Created directory '/remotetom/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /remotetom/.ssh/id_rsa.
Your public key has been saved in /remotetom/.ssh/id_rsa.pub.
The key fingerprint is:
e7:e6:8f:d3:b1:b4:08:27:09:56:de:d2 tom at domainname=20
4. The Public key file you just created /remotetom/.ssh/id_rsa.pub has =
to be
sent to the Host system. On the host system rename it to =
authorized_keys2=20
and put it into the home directory of the user setup earlier.=20
In this case ~/bob/.ssh/authorized_keys2.=20
5. To ssh to the host enter this ssh hostname or ssh host-ip-address
The first time you ssh to the Host you will get these messages.=20
Answer yes if you are sure this first connection is with your =
targeted host.
Enter exit to terminate session.
# /home/remotetom/.ssh >ssh 10.0.10.2
The authenticity of host '10.0.10.2 (10.0.10.2)' can't be =
established.
DSA key fingerprint is =
67:e7:90:04:0e:27:2e:d2:97:9d:7b:62:7e:c9:32:6a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.10.2' (DSA) to the list of known =
hosts.
Enter passphrase for key /remotetom/.ssh/id_rsa
This is where you enter the pass phrase you entered while running=20
ssh-keygen on this remote client. (remotetom)
You are now logged into the Host account bob.
Every time you ssh login again you will just get this prompt
Enter passphrase for key /remotetom/.ssh/id_rsa
7. At this point the Host user bob can login from Host console, or =
using telnet=20
from a local LAN machine, or from the public internet if your host =
firewall=20
has port 23 open. If this user is to be only allowed remote ssh =
client access=20
you can use vipw command to edit the system's master password file =
and star out=20
his encrypted password. This will deny login from anywhere except =
remotebob
bob:$1$FXF.CEpf$B2cF:1001:31::0:0:remote ssh user only =
#:/home/bob:/bin/csh
=20
edit it to look like this
bob:*:1001:31::0:0:remote ssh user only #:/home/bob:/bin/csh
8. At this point, if remotebob is a notebook pc he can ssh login from =
any place=20
in the world. If remotebob is always working from home using ip=20
address 192.168.1.32 you can add another level of security by =
restricting his=20
login to come from that ip address. Do that by adding this statement =
to the=20
Host /etc/ssh/sshd_config file
AllowUsers bob at 192.168.1.32
=20
Win-client setup steps.
1. You have to get windows putty program from
http://www.chiark.greenend.org.uk/~sgtatham/putty/
Download the current windows installer program.
Currently that's putty-0.58-installer.exe
2. Run the installer.exe and take all the defaults.
3. start/programs/Putty/Puttygen
This will create your private and public ssh keys
At the bottom of the window select ssh2-rsa
Click on generate button.
After keys are created then enter your pass phrase.
=20
Then click on 'save public key' button.
Save it to c:/programs/putty/ putty_public_rsa_key
=09
Then click on 'save private key' button.
Save it to c:/programs/putty/ putty_private_rsa_key.ppk
=09
In the window area labeled=20
"Public key for pasting into Open SSH authorized_key file"=20
Highlight that content and past it into a notepad text file named
win_authorized_keys2.txt
4. The win_authorized_keys2.txt file has to be sent to the Host system=20
and put in the ~/home/bob/.ssh/ directory. In this example both the=20
FBSD-client & the WIN-client will both use the same Host user =
account=20
to ssh login to.=20
Since the ~/home/bob/.ssh/authorized_keys2 already contains the=20
private key for the FBSD-client you have to append the=20
win_authorized_keys2.txt content to it.
cat win_authorized_keys2.txt >> win_authorized_keys2
=20
If bob is to only be used by WIN-client then just=20
cp win_authorized_keys2.txt authorized_keys2
5. start/programs/putty/putty to run it
On the bottom of the window click on "never exit"
Under protocol be sure ssh is clicked
=09
On the left side click on 'SSH',=20
then in the 'preferred ssh protocol version'=20
click on '2 only'.
=09
On the left side click on 'AUTH', remove check mark from =20
'Attempt keyboard-interactive auth (SSH-2) .
=09
On the left side click on 'Sessions' to return to main login window.
Enter you host name (IE; your official registered domain name of the =
Host box)=20
or it's IP address. Then type a name in the saved session window and =
click on save
button. =20
Now click on the open button at bottom of window to login to the =
host.
An ms/dos window will open up and you will receive 'login as' prompt =
Enter bob
Then you get
Authenticating with public key "rsa-key-20060209"
Passphrase for key "rsa-key-20060209":
At this point enter the pass phrase you entered when you ran=20
start/programs/Putty/Puttygen to create the rsa keys on the client =
remotetom.
You are now logged into you host box using SSH. You have all the =
privileges that
host user bob has when you created him.
Every time you start/programs/putty/putty highlight the name of =
your saved
session and click on the load button. This will restore your saved =
session
configuration, then click open to launch.
Conclusion;
=20
Once you open ssh's port 22 in your firewall it wont be long before your =
auth.log=20
starts filling up with failed login attempts. About 99 percent of these =
failed=20
login attempts are script kiddies or robots. Their attacks are all most =
totally=20
based on indiscriminate rolling through a range of sequential IP =
address.=20
(IE: They never use DNS to lookup your domain name.) You were found by =
plain bad luck.=20
They run scripts that address the know ports listened on by those =
services which=20
accept logins. You use this knowledge to defend against this type of =
attack.
The simplest defense is to change the port number ssh uses. The =
/etc/services is where
the port number used by SSH is defined and where you would change it at. =
Remote clients=20
who want to access your host system will have to enter the alternate =
port number as part=20
of the login command.=20
ssh -p 77777 hostname or host-ip-address
=20
[-p 77777 is the example alternate ssh port number you specified in =
/etc/services file]
or edit /etc/ssh/ssh_config on the remote client and change this =
statement from this
# Port 22 to Port 77777 [to make the alternate port number =
permanent]=20
Windows gutty also has way to change the default ssh port number right =
on the login window.
You will have to open your firewall for the alternate port number you =
assign to ssh for this=20
to work.
The technique of assigning a non-standard port number for SSH is =
security through obscurity=20
and is one of the first and easiest security measures an administrator =
may consider.=20
By no means does this provide protection from the dedicated attacker who =
has targeted=20
your IP address for some reason. This is just the first security level =
of hiding through=20
obscurity from the majority of script kiddies and their robots. You will =
be surprised at=20
how effective this really is at discouraging repeat port scan attacks =
and fraudulent login=20
attempts.=20
------=_NextPart_000_003B_01C6300B.67684CE0--